By: Tristan Jenkinson
Last week, the Irish Data Protection Commission (“DPC”) announced that they had launched an inquiry into “Google’s processing of location data and transparency surrounding that processing”. You can see the press release here and read more from Reuters here.
This is not the first involvement that the DPC have had with Google in relation to location data. In August 2018 the DPC issued a statement in response to a report from the Associated Press raising issues with Google’s use of location data. The statement concluded that Google had committed to a response and that “Once in receipt of that response, the DPC will assess the position and take all appropriate steps”. You can see this press release here. It would appear that the statutory investigation announced by the DPC is part of the appropriate steps that are being taken.
The Associated Press Article
The Associated Press Article that is specifically mentioned by the DPC in its August 2018 statement can be seen here.
The Associate Press claimed that Google recorded location information for its users, even when location services were turned off. They specifically reported that even with location history turned off, many services were still saving users location. Actions such as opening Google maps, running weather apps or even performing searches such as “chocolate chip cookies” or “kids science kits” were identifying the user’s location (to the nearest square foot) and saving it. Associated Press state that their findings were verified by computer-science researches at Princeton University.
The Use of Location Data
Many people may feel that this is not a huge problem. Aside from the intrinsic privacy issues, there is another story that I wanted to link in here to demonstrate why this could be considered to be an issue and why we might want to be more concerned about what is happening to our location data.
Federal agencies in the US are using mobile device location data for immigration and border enforcement. This story was originally reported in the Wall Street Journal late last week. You can see the original article here (may require subscription). The Wall Street Journal report was covered by Business Insider here.
According to the Wall Street Journal article, the Trump administration purchased licenses from Venntel Inc. (affiliated with location intelligence company Gravy Analytics) to access a database containing millions of user’s location data. This information was then apparently used to identify individuals who may have illegally entered the country, to locate them and then later arrest them.
The Wall Street Journal also reports that the location data is collected from mobile games as well as weather and shopping apps where users have (apparently) agreed to share their location.
Misuse of Location Data and the Power of OSINT
The mobile data available from the Venntel database likely contains no direct links to users. However, this does not mean that known individuals could not be identified and then targeted.
If you have a list of anonymous users and their location history for the last 30 days, then you would likely only need a few reference points to identify the data of a specific individual – assuming their data was captured.
For example, say we want to target John Smith and identify his location history.
Let us assume that we know;
- He was in the “Knights Arms” pub in Mayfair at 7pm on 6 January 2020
- He was at the Kensington Hotel in Birmingham at 12pm on 12 January 2020
- He was at Buckingham Palace at 3pm on 24th January 2020
Let’s start with the first data point – For users with a location recorded on that day, we can identify those that are too far away from Mayfair for them to be there at 7pm and exclude them. We then do the same for the second and third references excluding more users each time. This should then significantly limit down the pool of potential users that could be John Smith. In this way, we just need enough reference points (assuming his data is indeed tracked).
So how would you know that John Smith was in the Knights Arms on 6th January? There are many ways that this can be accomplished with surveillance etc. but one of the easiest ways is using Open Source Intelligence or “OSINT”.
OSINT is the use of publically available information that can be legally gathered, for example from the internet, libraries, newspaper articles etc. This is a subject that I plan to discuss further in a separate article.
It may be that John Smith posted on Facebook that he was drinking with friends at the Knights Arms, that his LinkedIn account identified that he was attending a conference at the Kensington Hotel and his Instagram account posted a photograph of him at Buckingham Palace. Depending on the privacy settings, all of these sources could be publically available, in which case anyone could place John Smith at these places on the relevant dates and times.
This means that despite the data itself not identifying users, it may still be possible for the users to be identified, then the location data misused to track that individual without their knowledge.
The Brave Complaints
Before concluding, there is also a separate set of complaints to the DPC and the UK’s Information Commissioners Office (“ICO”) that should be mentioned.
Johnny Ryan of Brave Software raised complaints with both the DPC and the ICO in September 2018. These complaints related to Google’s use of real-time bidding (advertising auctions). In response the DPC (in May 2019) announced a probe into “suspected infringement”.
Brave.com reported that there was a vast amount of personal data that could be shared by Google, including information about what you are reading, watching or listening to, details about your device, and your location.
Dr Ryan has continued to document and supply additional evidence and information to the DPC. You can read more about the Brave complaints here.
The use of location data by the US authorities demonstrates that location data is in demand and is being used, legally, for several purposes. While not cheap, it appears that such data is available for purchase on the open market. This does raise the issue of how easily that data could potentially be abused.
If location data is being broadcast, as alleged in the Brave Complaints, many of the receiving parties could be building up similar databases to those used by the US authorities, but supplemented with additional information – unknown by users.
Google has previously been fined with regard to a lack of legal basis for processing and transparency (the same issues named by the DPC in this matter) when the French data protection authority, CNIL fined them €50m.
This could be another interesting GDPR case as it unfolds.